CVE-2026-6739
MediumCVSS 6.7Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles. This allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.
Risk Assessment
The organization may be exposed to unauthorized privilege escalation, which could lead to serious security breaches and loss of control over the system.
Recommendation
It is recommended to update Mattermost to the latest version to mitigate this vulnerability and review user permissions to limit the potential for privilege escalation.
Original NVD description (English source)
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656

